[dix] Re: Gathering requirements for in-browser OpenID support

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Oct 20 19:40:01 UTC 2006


Hi All....

My name is Eddy Nigg and I'm the COO of the StartCom CA. This is my
first post to this list, so I decided to introduce myself....

Pete Rowley wrote:
> Despite the spec being called OpenID Authentication, authentication is
> actually out of scope i.e. the actual methods of authentication aren't
> specified. The spec really defines a method of third party assertion
> of an identifier being linked to a session through an implicit trust
> relationship. That's really the context of my "outside the protocol"
> qualifier.
This was actually a question I wanted to ask, because I couldn't really
find an answer, but perhaps it was already asked and debated: Is there an
authentication trust bit in the Spec 2.0, such as Class X verifications
at certification authorities? And if not, then the question is, why
not.... Or is this in planning for later? And what is this "outside
qualifier"?

Alaric Dailey wrote:
> This leads me to a couple of questions that I haven't had time to
> research (by looking thru the spec)... Other than just getting a
> sample member page working.
>
> Is SSL going to be required (to protect the user's data en-route)?
> DNSSEC to validate the DNS hasn't been modified?
>
If the "requirements" of SSL (and DNSSEC) are up to the IdP to implement
OpenID securely, how can this network ever be extended beyond forum and
blog logins? Also here I'm a little bit clueless. The spec speaks about
signing of the authentication messages, but there seems to be no
(explicit) securing of the data in any other way?

Thanks for your answers!
-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
